From e26911f403c8c462848af72db2122adbcc533808 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Tue, 29 Oct 2024 18:48:42 +0100
Subject: [PATCH] ci: keep contents read permissions in jobs

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/build.yml   | 4 ++++
 .github/workflows/codeql.yml  | 1 +
 .github/workflows/labeler.yml | 3 +++
 3 files changed, 8 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 229cbb9f20c..b0bf211290e 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -227,6 +227,8 @@ jobs:
   govulncheck:
     runs-on: ubuntu-24.04
     permissions:
+      # same as global permission
+      contents: read
       # required to write sarif report
       security-events: write
     steps:
@@ -372,6 +374,8 @@ jobs:
     runs-on: ubuntu-24.04
     if: ${{ github.ref == 'refs/heads/master' && github.repository == 'docker/buildx' }}
     permissions:
+      # same as global permission
+      contents: read
       # required to write sarif report
       security-events: write
     needs:
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fe687f9a96c..9631b1b3cb2 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -23,6 +23,7 @@ jobs:
   codeql:
     runs-on: ubuntu-24.04
     permissions:
+      contents: read
       actions: read
       security-events: write
     steps:
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index a5bff97efc9..c1b73a155cd 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -20,6 +20,9 @@ jobs:
   labeler:
     runs-on: ubuntu-latest
     permissions:
+      # same as global permission
+      contents: read
+      # required for writing labels
       pull-requests: write
     steps:
       -